Presentation on theme: "Information Assurance: A Personal Perspective Ravi Sandhu www.list.gmu.edu."— Presentation transcript:
Information Assurance: A Personal Perspective Ravi Sandhu
2 Agenda Selected highlights from my 25+ years in this business (roughly chronological wrt start) Typed Access Matrix (TAM) Model Multilevel Relational (MLR) Model Role-Based Access Control (RBAC) Policy-Enforcement-Implementation (PEI) Layers Usage Control (UCON) Model TriCipher Authentication Ladder Selected ongoing research projects Assured Information Sharing Enabled by Trusted Computing Perspective on the future of Information Assurance Q&A
3 Safety in Access Control: Access Matrix Model (Lampson, 1971) U r w own V F SubjectsSubjects Objects (and Subjects) r w own G r rights
4 Safety in Access Control: HRU Model (1976) Theorem 1. Safety in HRU is undecidable Theorem 2. Safety in monotonic mono-operational HRU is undecidable
5 Safety in Access Control: TAM Model (Sandhu, 1992) Theorem 1. Safety in TAM is undecidable Theorem 2. Safety in monotonic acyclic ternary TAM is polynomially decidable
6 Safety in Access Control: From HRU to TAM HRU (HRU 1976) Take-Grant (JLS 1978) SSR (Sandhu 1983) SPM (Sandhu 1988) ESPM (Ammann-Sandhu, 1990) TAM (Sandhu, 1992)
7 The Multilevel Relational (MLR) Model: Taming Polyinstantiation (1998)
10 Role-Based Access Control: RBAC96 Model (1996) Theorem. RBAC can be configured to enforce Lattice-Based Access Control (or Bell-LaPadula), and Discretionary Access Control
11 Role-Based Access Control: The NIST/ANSI Standard Model (2004)
12 Policy-Enforcement-Implementation (PEI) Layers (2000 onwards) Objectives Policy Model Enforcement Model Implementation Model Implementation What? How?
13 PEI and RBAC Policy Neutral RBAC96, NIST/ANSI04, ARBAC97, Delegation, etc. User-Pull, Server-Pull Digital Certificates, Cookies, Tickets, SAML assertions etc. Implementation What? How?
14 PEI and RBAC: Server-Pull Enforcement ClientServer User-role Authorization Server
15 PEI and RBAC: User-Pull Enforcement ClientServer User-role Authorization Server
16 Usage Control The UCON Model (2002 onwards) unified model integrating authorization obligation conditions and incorporating continuity of decisions mutability of attributes
18 TriCipher Authentication Ladder: Underlying Science 2-key RSA Private key: d (used to sign) Public key: e (used to verify signature) 3-key RSA Net effect: as though single private key d was used to sign, BUT Private key: d1 (used by user to partially sign) Private key: d2 (used by TACS server to partially signature) Public key: e (used to verify signature)
19 TriCipher Authentication Ladder: Underlying Science e * d = 1 mod phi(n) d1 * d2 = d mod phi(n) Stored on TACS server and used to partially sign on behalf of authenticated user Constructed on client PC from multiple factors under control of user passwordrandom string 1 random string 2 …
20 Assured Information Sharing Enabled by Trusted Computing (Ongoing work) Secure Information Sharing (IS) Share but Protect Mother of all Security Problems Trusted Computing (TC) Policy-Enforcement- Implementation Layers (PEI) & Usage Control Models (UCON)
21 Basic premise Software alone cannot provide an adequate foundation for trust Old style Trusted Computing (1970 – 1990s) Multics system Capability-based computers Intel 432 vis a vis Intel 8086 Trust with security kernel based on military-style security labels Orange Book: eliminate trust from applications Whats new (2000s) Hardware and cryptography-based root of trust Trust within a platform Trust across platforms Rely on trust in applications No Trojan Horses or Mitigate Trojan Horses and bugs by legal and reputational recourse What is Trusted Computing (TC)? Massive paradigm shift Prevent information leakage by binding information to Trusted Viewers on the client
22 What is Information Sharing? The mother of all security problems Share but protect Requires controls on the client Server-side controls do not scale to high assurance Bigger than (but includes) Retail DRM (Digital Rights Management) Enterprise DRM
23 What is Information Sharing? Strength of Enforcement Content type and value WeakMediumStrong Sensitive and proprietaryPassword-protected documentsSoftware-based client controls for documents Hardware based trusted viewers, displays and inputs Revenue drivenIEEE, ACM digital libraries protected by server access controls DRM-enabled media players such as for digital music and eBooks Dongle-based copy protection, hardware based trusted viewers, displays and inputs Sensitive and revenueAnalyst and business reports protected by server access controls Software-based client controls for documents Hardware based trusted viewers, displays and inputs Roshan Thomas and Ravi Sandhu, Towards a Multi-Dimensional Characterization of Dissemination Control. POLICY04.
24 FunctionalityStrength of enforcement SimpleComplexWeak/MediumStrong Legally enforceable versus system enforced rights. Reliance on legal enforcement; Limited system enforced controls. Strong system- enforceable rights, revocable rights. Dissemination chains and flexibility. Limited to one-step disseminations. Flexible, multi-step, and multi- point. Mostly legal enforcement;System enforceable controls. Object types supported. Simple, read-only and single-version objects. Support for complex, multi-version objects. Support for object sensitivity/confidentiality. Reliance on legally enforceable rights. System supported and enforceable rights and sanitization on multiple versions. Persistence and modifiability of rights and licenses. Immutable, persistent and viral on all disseminated copies. Not viral and modifiable by recipient. Reliance on legally enforceable rights. System enforceable. Online versus offline access and persistent client-side copies No offline access and no client-side copies. Allows offline access to client-side copies. Few unprotected copies are tolerated. No unprotected copies are tolerated. Usage controlsControl of basic dissemination. Flexible, rule-based usage controls on instances. Some usage abuse allowed. No potential for usage abuse. Preservation of attribution. Recipient has legal obligation to give attribution to disseminator. System-enabled preservation and trace- back of the attribution chain back to original disseminator. Attribution can only be legally enforced. Attribution is system enforced. RevocationSimple explicit revocations.Complex policy-based revocation.No timeliness guarantees.Guaranteed to take immediate effect. Support for derived and value-added objects. Not supported.Supported.Reliance on legally enforceable rights. System enforceable rights for derived and valued- added objects. Integrity protection for disseminated objects. Out of band or non-crypto based validation. Cryptographic schemes for integrity validation. Off-line validation.High-assurance cryptographic validation. AuditAudit support for basic dissemination operations. Additional support for the audit of instance usage. Offline audit analysis.Real-time audit analysis and alerts. PaymentSimple payment schemes (if any). Multiple pricing models and payment schemes including resale. Tolerance of some revenue loss. No revenue loss; Objective is to maximize revenue. With current state of knowledge the information sharing space is too complex to characterize in a comprehensive manner Look for sweet spots that are of practical interest and where progress (and killer products) can be made Roshan Thomas and Ravi Sandhu, Towards a Multi-Dimensional Characterization of Dissemination Control. POLICY04.
25 Classic Approaches to Information Sharing Discretionary Access Control (DAC), Lampson 1971 Fundamentally broken Controls access to the original but not to copies (or extracts) Mandatory Access Control (MAC), Bell-LaPadula 1971 Solves the problem for coarse-grained sharing Thorny issues of covert channels, inference, aggregation remain but can be confronted Does not scale to fine-grained sharing Super-exponential explosion of security labels is impractical Fallback to DAC for fine-grained control (as per the Orange Book) is pointless Originator Control (ORCON), Graubart 1989 Propagated access control lists: let copying happen but propagate ACLs to copies (or extracts) Not very successful
26 Modern Approach to Information Sharing Prevent leakage by binding information to Trusted Viewers on the client Use a mix of cryptographic and access control techniques Cryptography and Trusted Computing primitives enable encapsulation of content in a Trusted Viewer Trusted Viewer cannot see plaintext unless it has the correct keys Access control enables fine-grained control and flexible policy enforcement by the Trusted Viewer Trusted Viewer will not display plaintext (even though it can) unless policy requirements are met Enables policy flexibility and policy-mechanism separation
27 PEI Models Framework for Information Sharing
28 The Future: Three Megatrends Fundamental changes in Cyber-security goals Cyber-security threats Cyber-security technology